Microsoft happy with progress in securing products

The past two or three weeks have been pretty bad ones for Microsoft but the operations manager of the company's security response centre believes that it is following the right road to making its products secure.

Iain Mulholland said security could not be ensured overnight. As proof of the progress made by the Trustworthy Computing Initiative, set in place by the company's co-founder Bill Gates, he pointed to the fact that Windows Server 2003 has had fewer vulnerabilities than Windows Server 2000 over a comparable period.

He defended the time the company takes to release patches for vulnerabilities - most recently, 200 days were taken to patch a vulnerability in Abstract Syntax Notation One (ASN.1), a language which defines the way data is encoded for exchange between dissimilar communication systems - by saying that the quality of the patch had to be ensured.

Any patch had to be tested against at least 1000 applications, because that was the number of applications being run by various businesses on its operating systems, Mulholland said.

"We have more than 100 million users and if a patch breaks something on even one percent of those machines, it's a fairly big number. Hence, we have to take a lot of care to produce a quality patch," he said.

Throwing more resources, be it people or money, at a vulnerability would not yield better results, he claimed.

Asked why the company, which has cash reserves in the region of $US40 billion, did not put in place a scheme to pay individual researchers for finding vulnerabilities in its products, Mulholland said researchers would prefer recognition instead.

"I may sound naive but they're doing it because people want to do the right thing," he said.

Organisations or individuals who inform Microsoft about any vulnerability found in its products and wait until patches are released before they give out the details of the vulnerability "are rewarded by having the name of the researcher and company acknowledged in the security advisory put out by Microsoft. They consider that sufficient reward," Mulholland said.

On the other hand, Microsoft has offered huge bounties to those who turn in virus/worm creators. Mulholland claimed this was an entirely different scenario. "These people (virus/worm creators) have materially damaged our customers, that's why we offer rewards," he said.

He justified the stance the company has taken over the recent source code leak, saying "we have a moral right to protect our copyright."

Microsoft has sent letters of warning to some people who have downloaded the code and started using alerts on many peer-to-peer clients where illegal sharing of the source code has occurred.

Mulholland said the leak was "a very serious legal problem. We have to do what is right and enforce our copyright."

He did not agree that an aggressive stance could turn out to be counter-productive, even though this has often been the case in the past.